ci(*): update llvm-build-bump-pr.yml to enhance permissions and add build provenance attestations #265

lumirlumir
Owner

This pull request includes several updates to the .github/workflows/llvm-build-bump-pr.yml file to enhance the build process and improve artifact handling. The most important changes include adding IDs to the artifact upload steps, incorporating build attestation steps, and updating permissions.

Enhancements to the build process:

  • Added IDs to the artifact upload steps for better reference and traceability. [1] [2] [3] [4] [5]
  • Incorporated actions/attest-build-provenance@v2 to attest build provenance for each uploaded artifact, ensuring the integrity and authenticity of the build outputs. [1] [2] [3] [4] [5]

Permissions updates:

  • Changed permissions from contents: read to id-token: write and attestations: write to enable the new attestation steps.

@Copilot Copilot AI review requested due to automatic review settings March 10, 2025 05:54

vercel bot commented Mar 10, 2025

The latest updates on your projects. Learn more about Vercel for Git ↗︎

| Name | Status | Preview | Comments | Updated (UTC) |
| --- | --- | --- | --- | --- |
| npm-clang-format-node-website | ✅ Ready (Inspect) | Visit Preview | 💬 Add feedback | Mar 10, 2025 5:54am |


@Copilot Copilot AI left a comment

PR Overview

This pull request enhances the LLVM build workflow by updating permissions and incorporating build attestations to ensure the integrity of uploaded artifacts.

  • Updated workflow permissions to include id-token and attestations writes
  • Added unique IDs to artifact upload steps and incorporated actions/attest-build-provenance for build provenance attestations

Reviewed Changes

| File | Description |
| --- | --- |
| .github/workflows/llvm-build-bump-pr.yml | Updates to permissions and workflow steps to enable build attestations and improved artifact handling |

Copilot reviewed 1 out of 1 changed files in this pull request and generated no comments.

Comments suppressed due to low confidence (2)

.github/workflows/llvm-build-bump-pr.yml:118

  • Verify that actions/upload-artifact@v4 produces the 'artifact-digest' output; if not, consider computing or providing the digest explicitly to ensure the attestation step receives valid data.
subject-digest: sha256:${{ steps.upload-clang-format-git.outputs.artifact-digest }}

.github/workflows/llvm-build-bump-pr.yml:109

  • [nitpick] While step IDs are scoped per job, the repeated use of 'upload-clang-format-git' in multiple jobs may reduce clarity; consider incorporating additional context (e.g., platform or job name) in the id for improved maintainability.
id: upload-clang-format-git
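
The pattern described in the PR summary and in the suppressed review note about `artifact-digest`, as an added workflow fragment (not the repository's `llvm-build-bump-pr.yml`): the job name, build step, artifact name and file path are assumptions. The guard step covers the case the review note raises, an upload step that yields no usable digest.

```yaml
# Added illustration; job name, build step, artifact name and path are assumptions.
name: build-with-provenance
on: workflow_dispatch

permissions: {}                # nothing granted at workflow level

jobs:
  build-linux:
    runs-on: ubuntu-latest
    permissions:
      id-token: write          # OIDC token the attest action exchanges for a signing certificate
      attestations: write      # allows the attestation to be stored for the repository
    steps:
      - name: Build (placeholder for the real LLVM build)
        run: |
          mkdir -p build
          echo "placeholder binary" > build/clang-format

      - name: Upload artifact
        id: upload-clang-format-git      # id is what exposes this step's outputs below
        uses: actions/upload-artifact@v4
        with:
          name: clang-format-linux
          path: build/clang-format

      - name: Refuse to attest a missing or malformed digest
        env:
          # Passed through env so the value is never interpolated into the script text.
          DIGEST: ${{ steps.upload-clang-format-git.outputs.artifact-digest }}
        run: |
          printf '%s' "$DIGEST" | grep -Eq '^[0-9a-f]{64}$' || {
            echo "::error::upload step produced no valid artifact-digest"
            exit 1
          }

      - name: Attest build provenance
        uses: actions/attest-build-provenance@v2
        with:
          subject-name: clang-format-linux
          subject-digest: sha256:${{ steps.upload-clang-format-git.outputs.artifact-digest }}
```

`artifact-digest` is the SHA-256 of the uploaded artifact archive, so a consumer verifies the downloaded archive rather than a file extracted from it.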

@github-actions github-actions bot added 🏷️ scope: * Auto-generated label based on Conventional Commits specification for GitHub release notes 🏷️ type: ci Auto-generated label based on Conventional Commits specification for GitHub release notes labels Mar 10, 2025

Labels have been automatically applied based on the Conventional Commits specification.🏷️


codecov bot commented Mar 10, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 100.00%. Comparing base (3664ad9) to head (631d3d4).
Report is 1 commits behind head on main.

@@            Coverage Diff            @@
##              main      #265   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           11        11           
  Lines          439       439           
=========================================
  Hits           439       439           


@lumirlumir lumirlumir merged commit cd6e725 into main Mar 10, 2025
40 checks passed
@lumirlumir lumirlumir deleted the ci-update-llvm-build-bump-pr-to-enhance-permissions-and-add-build-provenance-attestations branch March 10, 2025 06:03
@lumirlumir lumirlumir mentioned this pull request Mar 10, 2025
8 tasks
lumirlumir added a commit that referenced this pull request Apr 2, 2025
…ch`) (#297)

## Release Information: `v1.3.3`

New release of `lumirlumir/npm-clang-format-node` has arrived! 🎉

This PR bumps the package versions from `v1.3.2` to `v1.3.3` (`patch`).

See
[Actions](https://github.com/lumirlumir/npm-clang-format-node/actions/runs/14215733817)
for more details.

| Info        | Value                      |
| ----------- | -------------------------- |
| Repository  | `lumirlumir/npm-clang-format-node` |
| SEMVER      | `patch`     |
| Pre ID      | `canary`      |
| Short SHA   | ed550b4       |
| Old Version | `v1.3.2`  |
| New Version | `v1.3.3`  |

<!-- Release notes generated using configuration in .github/release.yml
at main -->

## What's Changed
### 🧰 Chores
* chore(sync-server): update `lint-staged.config.js` by @lumirlumir in
#259
* chore(sync-server): update `.editorconfig` `max_line_length` to
`100000` by @lumirlumir in
#260
* chore(website): add Codecov Vite plugin and update related configs for
bundle analyzing by @lumirlumir in
#266
* chore(website): conditionally enable bundle analysis in Codecov Vite
plugin by @lumirlumir in
#267
* chore(sync-server): update `.markdownlint.json` by @lumirlumir in
#272
* chore(sync-server): update ESLint config and lint-staged to support
markdown linting by @lumirlumir in
#275
* chore(sync-server): update `FUNDING.yml` by @lumirlumir in
#285
* chore(website): update `package.json` and rename `.mjs` to `.js` by
@lumirlumir in
#286
* chore(sync-server): update root level configuration files and fix
typos by @lumirlumir in
#293
* chore(*): update `tsconfig.json` by @lumirlumir in
#296
### 🔄 Continuous Integrations
* ci(sync-server): add permissions to read contents in `lint.yml` and
`test.yml` workflows by @lumirlumir in
#256
* ci(sync-server): add permissions to `pull-request.yml` and
`sync-client.yml` by @lumirlumir in
#257
* ci(*): add read permissions to `test-cross-platform.yml` by
@lumirlumir in
#258
* ci(*): update `llvm-build-bump-pr.yml` to add `permissions` and
disable `fail-fast` strategy by @lumirlumir in
#264
* ci(*): update `llvm-build-bump-pr.yml` to enhance permissions and add
build provenance attestations by @lumirlumir in
#265
* ci(*): create `release.yml` by @lumirlumir in
#281
### 📝 Documentation
* docs(*): delete maintainability badge from `README.md` by @lumirlumir
in #287
### ⬆️ Dependency Updates
* chore(deps-dev): bump typescript from 5.7.3 to 5.8.2 by @dependabot in
#252
* chore(deps-dev): bump prettier from 3.5.2 to 3.5.3 by @dependabot in
#253
* chore(deps-dev): bump @types/node from 22.13.5 to 22.13.8 by
@dependabot in
#251
* chore(deps-dev): bump lerna from 8.2.0 to 8.2.1 by @dependabot in
#254
* chore(deps-dev): bump @types/node from 22.13.8 to 22.13.9 by
@dependabot in
#255
* chore(deps-dev): bump @types/node from 22.13.9 to 22.13.10 by
@dependabot in
#261
* chore(deps-dev): bump eslint from 9.21.0 to 9.22.0 by @dependabot in
#262
* chore(deps): bump axios from 1.7.7 to 1.8.2 in the npm_and_yarn group
across 1 directory by @dependabot in
#263
* chore(deps-dev): bump @babel/core from 7.26.9 to 7.26.10 in the babel
group across 1 directory by @dependabot in
#268
* chore(deps-dev): bump textlint from 14.4.2 to 14.5.0 by @dependabot in
#270
* chore(deps-dev): bump vitepress-plugin-group-icons from 1.3.6 to 1.3.7
by @dependabot in
#269
* chore(deps-dev): bump eslint-config-bananass from 0.0.5 to 0.0.6 in
the bananass group across 1 directory by @dependabot in
#273
* chore(deps-dev): bump lint-staged from 15.4.3 to 15.5.0 by @dependabot
in #274
* chore(deps): bump shx from 0.3.4 to 0.4.0 by @dependabot in
#276
* chore(deps-dev): bump vitepress-plugin-group-icons from 1.3.7 to 1.3.8
by @dependabot in
#282
* chore(deps-dev): bump textlint-rule-allowed-uris from 1.0.8 to 1.0.9
by @dependabot in
#283
* chore(deps-dev): bump eslint from 9.22.0 to 9.23.0 by @dependabot in
#289
* chore(deps-dev): bump @types/node from 22.13.10 to 22.13.11 by
@dependabot in
#288
* chore(deps-dev): bump @babel/cli from 7.26.4 to 7.27.0 in the babel
group across 1 directory by @dependabot in
#291
* chore(deps-dev): bump @types/node from 22.13.11 to 22.13.13 by
@dependabot in
#290
* chore(deps-dev): bump @types/node from 22.13.13 to 22.13.14 by
@dependabot in
#292
* chore(deps-dev): bump textlint from 14.5.0 to 14.6.0 by @dependabot in
#294
* chore(deps-dev): bump @types/node from 22.13.14 to 22.13.17 by
@dependabot in
#295


**Full Changelog**:
v1.3.2...v1.3.3